#1140225 bookworm-pu: package libvncserver/0.9.14+dfsg-1+deb12u2

#1140225#5
Date:
2026-06-17 12:22:28 UTC
From:
To:
Dear Release Managers,

I would like to close these bugs regarding bookworm through p-u:
https://bugs.debian.org/1138174
https://bugs.debian.org/1138253

[ Reason ]
This fixes CVE-2026-44988 and CVE-2026-50538 for bookworm.

[ Impact ]
CVE-2026-44988: A malicious VNC server can send a crafted
FramebufferUpdate rectangle which makes the client write beyond fixed-
size Gradient buffers.
CVE-2026-50538: A malicious VNC server can  force a connecting
libvncclient to write attacker-controlled data past the end of its
framebuffer without the need of authentication.

[ Tests ]
Build test and autopkgtest locally and on debusine.d.n:
https://debusine.debian.net/debian/developers/work-request/844226/

[ Risks ]
I consider the risks low as the fix consists exactly of upstream's
commits:
https://github.com/LibVNC/libvncserver/commit/5b27054
https://github.com/LibVNC/libvncserver/commit/540332b

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

#1140225#12
Date:
2026-06-30 05:55:15 UTC
From:
To:
Control: tags -1 + confirmed

Please go ahead.

Regards,

Adam